NIST CSF 2.0 - Protect

PR.AA-05: Access Permissions and Authorizations

PR.AA-05 requires that access permissions, entitlements and authorizations be defined based on the principles of least privilege and separation of duties. This NIST CSF 2.0 control falls under the Protect (PR) function and the Identity Management, Authentication and Access Control category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID
PR.AA-05
Title
Access Permissions and Authorizations
Function
Protect (PR)
Category
Identity Management, Authentication and Access Control
Framework
NIST CSF 2.0

Access permissions, entitlements and authorizations are defined based on the principles of least privilege and separation of duties.

In practice this means each user receives only the access necessary to perform their current job function, and no single person holds every permission needed to complete a sensitive process (for example, creating a vendor and approving a payment to it) end to end.

Why This Matters

Excessive permissions expand the blast radius of any compromised account. Least privilege limits what an attacker can do after initial access and reduces insider threat risk.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of PR.AA-05.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with PR.AA-05 during an audit.

  • RBAC role definitions mapped to job functions
  • Least privilege policy documentation
  • Access certification review reports with remediation evidence
  • Just-in-time access request and approval logs
  • Separation of duties matrix for critical processes

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with PR.AA-05.

  • Users accumulate permissions over time through role changes without revocation of prior access
  • Separation of duties is not enforced in financial or administrative systems
  • Standing admin access is granted permanently rather than on a just-in-time basis
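The three gaps above are exactly what an access certification review should surface. The script below is an added example (not code from the original page or from Sherlock Forensics) showing how such a review can be automated over an entitlement export. All names, roles, users, dates and the export format are constructed for illustration; a real review would read the same fields from an IAM or IdP export. It runs three checks: roles a user holds that their current job function does not require (accumulated access), pairs of conflicting roles held by one person (separation-of-duties violations), and privileged roles granted with no expiry or past their expiry (standing or unrevoked admin access).

```python
"""Toy access certification review (added example, not from the original page).

Input is a constructed entitlement export: one grant per row with the user,
the user's current job function, the role granted and an optional expiry.
A grant with expires=None is a standing grant. Every name here is invented.
"""

from datetime import date

# RBAC role definitions mapped to job functions (constructed sample).
FUNCTION_ROLES = {
    "ap_clerk":   {"vendor_create", "invoice_entry"},
    "ap_manager": {"payment_approve", "invoice_review"},
    "sysadmin":   {"prod_admin", "ticket_read"},
}

# Separation-of-duties matrix: role pairs one person must never hold together.
SOD_PAIRS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"invoice_entry", "payment_approve"}),
}

# Roles that should only ever be granted just-in-time, with an expiry.
PRIVILEGED_ROLES = {"prod_admin"}

# Date the review is run (fixed so the example is deterministic).
REVIEW_DATE = date(2025, 6, 1)

# Constructed entitlement export. Assumption: a user's "function" is the same
# on every row, since it describes the person rather than the grant.
GRANTS = [
    {"user": "alice", "function": "ap_manager", "role": "payment_approve", "expires": None},
    {"user": "alice", "function": "ap_manager", "role": "invoice_review",  "expires": None},
    # Leftover from alice's earlier ap_clerk job: never revoked on role change.
    {"user": "alice", "function": "ap_manager", "role": "vendor_create",   "expires": None},
    # Permanent admin grant instead of a just-in-time one.
    {"user": "bob",   "function": "sysadmin",   "role": "prod_admin",      "expires": None},
    {"user": "bob",   "function": "sysadmin",   "role": "ticket_read",     "expires": None},
    # Proper just-in-time grant with a future expiry.
    {"user": "carol", "function": "sysadmin",   "role": "prod_admin",      "expires": date(2030, 1, 1)},
    {"user": "carol", "function": "sysadmin",   "role": "ticket_read",     "expires": None},
    # Just-in-time grant that expired but was never actually revoked.
    {"user": "dave",  "function": "sysadmin",   "role": "prod_admin",      "expires": date(2024, 1, 1)},
]


def roles_by_user(grants):
    """Collapse the export into {user: set of roles currently held}."""
    held = {}
    for g in grants:
        held.setdefault(g["user"], set()).add(g["role"])
    return held


def function_by_user(grants):
    """Map each user to their current job function (same on every row)."""
    return {g["user"]: g["function"] for g in grants}


def accumulated_access(grants, function_roles=FUNCTION_ROLES):
    """Roles a user holds that their current job function does not require."""
    current = function_by_user(grants)
    findings = []
    for user, roles in roles_by_user(grants).items():
        for role in roles - function_roles.get(current[user], set()):
            findings.append((user, role))
    return sorted(findings)


def sod_violations(grants, sod_pairs=SOD_PAIRS):
    """Users holding both roles of any separation-of-duties pair."""
    findings = []
    for user, roles in roles_by_user(grants).items():
        for pair in sod_pairs:
            if pair <= roles:  # both conflicting roles held by one person
                findings.append((user, tuple(sorted(pair))))
    return sorted(findings)


def standing_privileged(grants, today=REVIEW_DATE, privileged=PRIVILEGED_ROLES):
    """Privileged grants with no expiry (standing) and grants past expiry
    that are still present in the export (revocation never happened)."""
    standing, overdue = [], []
    for g in grants:
        if g["role"] not in privileged:
            continue
        if g["expires"] is None:
            standing.append((g["user"], g["role"]))
        elif g["expires"] < today:
            overdue.append((g["user"], g["role"], g["expires"].isoformat()))
    return sorted(standing), sorted(overdue)


if __name__ == "__main__":
    print("Accumulated access:", accumulated_access(GRANTS))
    print("SoD violations:    ", sod_violations(GRANTS))
    standing, overdue = standing_privileged(GRANTS)
    print("Standing admin:    ", standing)
    print("Expired, unrevoked:", overdue)
```

Note how one stale entitlement (alice's leftover vendor_create) shows up under both the accumulation and the separation-of-duties checks: the role-change gap and the SoD gap are usually the same root cause, missing revocation on job change. Each finding, together with the ticket that removed the grant, is the kind of "remediation evidence" an auditor expects alongside the review report.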

FAQ

What does PR.AA-05 require?
PR.AA-05 (Access Permissions and Authorizations) requires that access permissions, entitlements and authorizations are defined based on the principles of least privilege and separation of duties. Users receive only the access necessary to perform their job functions. This control is part of the NIST CSF 2.0 Protect function under the Identity Management, Authentication and Access Control category.
How do I prove compliance with PR.AA-05?
To demonstrate compliance with PR.AA-05, prepare the following evidence: RBAC role definitions mapped to job functions; least privilege policy documentation; access certification review reports with remediation evidence; just-in-time access request and approval logs; and a separation of duties matrix for critical processes. Auditors will verify that these artifacts exist and reflect current operational practice, not just documented intent.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.

Get a Compliance Assessment